
Two Russian nationals arrested in takedown of Phobos ransomware infrastructure

Two Russian nationals accused of using the Phobos ransomware to attack more than 1,000 entities were arrested this week as part of a global law enforcement takedown of the group.

The U.S. Department of Justice unsealed an array of criminal charges on Tuesday against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, for their alleged roles in using Phobos to earn more than $16 million. 

The announcement comes one day after the leak site of 8Base — a ransomware operation with ties to Phobos — was replaced with a law enforcement splash page. Two men and two women were arrested after raids on locations in Phuket, Thailand in an operation police in the country called “PHOBOS AETOR.”

“Berezhnoy and Glebov were arrested this week as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure,” the Justice Department said. The statement did not specify where Berezhnoy and Glebov are currently detained.

“According to court documents, Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names ‘8Base’ and ‘Affiliate 2803,’ among others, that victimized public and private entities through the deployment of Phobos ransomware,” the DOJ said.

The two, alongside several others, are accused of running the ransomware operations and attacking hundreds of organizations. The DOJ said they included a children’s hospital, multiple healthcare providers and several colleges. 

After successful Phobos ransomware attacks, affiliates of the group would pay fees to administrators for decryption keys and more. Berezhnoy and Glebov “frequently received payments from co-conspirators during the course of the conspiracy,” according to prosecutors.

The indictment notes that in some cases, the group used a social media account on X to broadcast their attacks and further extort victim organizations. Unlike with many other high-profile ransomware gangs, the payments extracted from victims were relatively small. The majority of the victims named in the indictment paid ransoms under $100,000, with at least one paying $12,000 worth of bitcoin.

Berezhnoy and Glebov each face 11 charges that include wire fraud, computer fraud, damage to protected computers, extortion and more. If convicted, the two are facing maximum sentences of 120 years in prison.

The DOJ noted that the charges against Berezhnoy and Glebov come after the recent arrest of Russian national Evgenii Ptitsyn — an alleged Phobos administrator who was extradited from South Korea in November. 

In its own statement, Europol said another Phobos actor was arrested in Italy in 2023 after French authorities issued an arrest warrant. 

Phobos’ footprint

The arrests this week coincided with the takedown, by the FBI, law enforcement agencies in Germany, Europol and others, of more than 100 servers used as part of the Phobos scheme.

“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks,” Europol explained, adding that more than 14 countries were involved in the operation to take the group down.

Phobos was particularly damaging because it focused its efforts on attacking smaller businesses and organizations that typically lacked the kind of cybersecurity protections needed to defend against ransomware.  

“Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact,” Europol said. 

“This group has been particularly aggressive in its double extortion tactics, not only encrypting victims' data but also threatening to publish stolen information unless a ransom was paid.”

U.S. authorities warned in February 2024 that Phobos attacks were impacting state, local, tribal, and territorial governments — damaging “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.